A2a Manager

Security checks across malware telemetry and agentic risk

Overview

The skill matches its agent-management purpose, but it needs Review because it can change persistent local and external task state and delete local workspaces without enough scoping or confirmation.

Install only if you are comfortable with an administrative skill that writes persistent OpenClaw workspace files and may use a Notion token to modify task pages. Back up ~/.openclaw before use, restrict any Notion token to the intended database, use explicit agent names, and require manual confirmation before deleting agents or changing external task state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium, 91% confidence

Finding: The trigger phrases are broad, common conversational terms such as "tạo agent" (create agent), "quản lý agent" (manage agent), and "map," which can cause the skill to activate during ordinary discussion rather than an explicit administrative request. Because the skill controls agent creation, channel management, orchestration, and specialist spawning, accidental activation could lead to unintended administrative or workflow actions.

Vague Triggers

Medium, 90% confidence

Finding: The trigger-to-action table maps short natural-language phrases directly to sensitive operations without defining authorization, confirmation, or disambiguation rules. This makes it easy for ambiguous language to be interpreted as a command, especially in collaborative chats where users may mention these phrases descriptively rather than as an instruction.

Missing User Warnings

Medium, 88% confidence

Finding: The skill description advertises creation of agents, management of Discord categories/channels/roles, binding agents to channels, spawning/disposal of specialists, and updating workspace mapping files, but it provides no user-facing safety warnings or approval controls. In this context, these are administrative and potentially destructive actions affecting external systems and workspace state, so omission of guardrails materially increases the risk of misuse or accidental damage.

Missing User Warnings

Medium, 81% confidence

Finding: The Notion task management section describes setup, creation, updating, and workflow operations but does not address what data may be stored, who can access it, or whether sensitive information should be excluded. Since task boards often contain internal project details, credentials-adjacent notes, or personal data, undocumented handling expectations can lead to inappropriate disclosure or retention.

Missing User Warnings

High, 90% confidence

Finding: delete_agent recursively removes a workspace directory with shutil.rmtree() and performs no confirmation, dry-run, or safety validation beyond deriving the path from agent_name. In an agent-management context, this can cause irreversible loss of agent state and files if invoked accidentally, with malformed names, or through higher-level automation that passes untrusted input.

VirusTotal

66/66 vendors flagged this skill as clean.